Difference between revisions of "Front Range OWASP Conference 2013/Presentations"
Both revisions by Jess Garrett (talk | contribs).
The later revision removes blank lines between entries and adds the section headings "Top Ten Web Application Defenses", "Using SaaS and the Cloud to Secure the SDLC", "Digital Bounty Hunters - Decoding Bug Bounty Programs", "Real World Cloud Application Security", "A Demo of and Preventing XSS in .NET Applications", "Defending Desktop (.NET/C#) Applications: Mitigating in the Dark (A Case Study Remix)", "Crafting a Plan for When Security Fails", "DevOps and Security: It's Happening. Right Now.", "Data Mining a Mountain of Zero Day Vulnerabilities", "Linking Security to Business Value in the Customer Service Industry" and "Information Control: The Critical Need for a Defensible Position - Securing the Information Ecosystem". The diff context also carries the Session 5 entries, which the rendered revision below ends before:
Session 5: 14:30-15:15
DevOps and Security: It's Happening. Right Now.
Speaker: Helen Bravo
• Pinpoint precise security code flaws and provide optimal fix recommendations
Data Mining a Mountain of Zero Day Vulnerabilities
Speaker: Joe Brady
Abstract: Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? How secure are third party software components? We will address these questions and many others, giving you a deep dive into metrics at a scale that can't be found anywhere else.
Linking Security to Business Value in the Customer Service Industry
Speaker: Dan Rojas
Call Centers as well as other types of businesses that can address consumers' demand for privacy protections can improve their long-term bottom line through TRUST and customer loyalty.
Information Control: The Critical Need for a Defensible Position - Securing the Information Ecosystem
Speaker: Tom Glanville
Revision as of 23:35, 7 March 2013
Session 1: 10:00-10:45
DevFu: The inner ninja in every application developer
Speaker: Danny Chrastil
Track: Technical
Abstract: Many times we try to draw a distinct line between developers and penetration testers. This creates a barrier that developers often feel intimidated to cross. The truth is that developers have an innate ability and perspective to become great penetration testers themselves.
Developers in the security industry carry a unique toolset as ethical hackers / security consultants that sets them apart from traditional penetration testers. By incorporating these skills as developers and combining them with the understanding and experience of building applications, developers can take web application penetration testing a step further than the rest.
In this paper we will be going over the various aspects of the developer DevFu toolbox, including: deep programming knowledge, the ability to write scripts on the fly, common shortcuts and their pitfalls, speaking the language, and secure coding practices. We will go over specific examples of scripts that increase productivity and extend the functionality of existing pen testing programs.
SIP Based Cloud Instances
Speaker: Gregory Disney-Leugers
Track: Deep Dive
Abstract: In this presentation I will demonstrate the practical applications of the SIP protocol for local cloud instances and how to create secure connections to the cloud using SIP forwarding. Further, I will present methods of securing cloud and data by using a Linux firmware router to host local based cloud domains; I will also show secure methods of deploying these systems. In addition I will also show secure methods of using PHP and databases using Sqlite and MongoDB, while using distributed computing between a Linux server and a Linux based firmware network appliance.
One of the practical applications I plan on presenting is using Cloud based SIP as a replacement for Samba for file sharing in a corporate environment with S3 and WebDAV. Another application I will present on is creating a local domain such as HTTPS://cloud.router.sip.com and how to connect to the cloud from a mobile phone using sip forwarding with SSL tunneling. Lastly I will show how to use SIP based domains on VPNs and to create private clouds that have a single point of access.
Lastly I will demonstrate how to properly set up a Linux server to host local based domains for secure deployment. In addition I will also show how to properly deploy Cherokee and Apache web servers for hosting sip domains. Finally I will show how to properly configure the sip domains to the Linux based firmware network appliance. At the end of the presentation a viewer will know how to properly deploy a Linux server for SIP domain hosting and how to create secure cloud instances with SIP.
Measuring Best Security Practices With Open SAMM
Speaker: Alan Jex
Track: Management
Abstract: Security is becoming a competitive advantage in the marketplace. How do we ensure that security is built into products for our customers? Security vulnerabilities can be introduced at any phase of the software development life cycle (SDLC). The Open Software Assurance Maturity Model (OpenSAMM) is a lightweight, flexible framework that helps prevent vulnerabilities and improve security during software development. We should adopt OpenSAMM to measure security best practices and improve our security processes, tools and knowledge.
Electronic Discovery for System Administrators
Speaker: Russell Shumway
Track: Executive/Legal
Abstract: As the Federal Rules of Evidence have evolved over the last several years, and as the volume of information in digital format has overtaken traditional printed media, electronic discovery has become more important than traditional paper-based discovery in litigation. While vendors can help with production, system administrators play a key role in the acquisition and production of Electronically Stored Information (ESI).
This presentation is designed to present an overview of the discovery process, how it differs from traditional computer forensics, and tips for administrators and managers to better assist in the production of ESI in the event of litigation (and hopefully to reduce the costs associated with production).
Session 2: 10:55-11:40
Adventures in Large Scale HTTP Header Abuse
Speaker: Zachary Wolff
Track: Technical
Abstract: While the technique of sending malicious data through HTTP Header fields is not new or unheard of by any means, there is certainly a noticeable lack of available information on the topic. For this reason I set out to do some research and testing of my own.
It didn't take long to find a site that was vulnerable to an HTTP Header attack, and the question I found myself asking was: how widespread is this problem?
Tracking down an answer to this question was not an easy task. In the end it involved the writing of two new tools and then a 'random' audit of 1.6 Million websites.
In this presentation we will look briefly at the history of HTTP Header attacks, the logic that went into the creation of an HTTP Header Audit tool, and most interestingly the findings of the test run.
How many vulnerable websites were discovered? What attacks were they most susceptible to? Which Header fields are most likely to be vulnerable? We will look into these questions and a host of other data collected during the research. We will also discuss defensive techniques around HTTP header abuse and how to efficiently audit a site's HTTP Header fields for vulnerabilities.
How Malware Attacks Web Applications
Speaker: Casey Smith
Track: Deep Dive
Abstract: Modern malware has outpaced the ability for traditional defenses to detect and contain the threats. The core of the presentation will be about several techniques used by malware to attack web applications:
- WebInjects (aka Man-in-the-Browser)
  - Files that contain JavaScript and HTML in order to alter the user experience in the application.
- Form-Grabbing
  - The technique for capturing web form data within browsers.
- Session Hijacking
  - The ability to redirect control of a session to an attacker.
- Persistence and Stealth
  - How does the malware go undetected for so long?
- Countermeasures
  - How to detect malware interacting with your web applications.
Software Assurance Improvements Through Innovation and Collaboration
Speaker: Kevin Greene
Track: Management
Abstract: Software weaknesses lead to vulnerabilities that put our nation’s critical resources at risk. Software size and complexity introduce risks and impact the overall quality of software. The material that will be covered in this session addresses areas of research into key problem areas in Software Assurance.
CISPA Why Privacy Advocates This Legislation
Speaker: Maureen Donohue Feinroth
Track: Executive/Legal
Abstract: Reintroduced in the House of Representatives on February 13, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed US law which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattack.
CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation, the American Civil Liberties Union, and Avaaz.org. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers. CISPA has garnered favor from corporations and lobbying groups such as Microsoft, Facebook and the United States Chamber of Commerce, which look on it as a simple and effective means of sharing important cyber threat information with the government.
Some critics saw CISPA as a second attempt at strengthening digital piracy laws after the anti-piracy Stop Online Piracy Act became deeply unpopular. Intellectual property theft was initially listed in the bill as a possible cause for sharing Web traffic information with the government, though it was removed in subsequent drafts.
Session 3: 12:40-13:25
Angry Cars: Hacking the "Car as Platform"
Speaker: Aaron Weaver
Room/Track: Technical
Abstract: Recently Renault announced what it describes as a “tablet,” an integrated Android device built into its next range of cars, effectively opening the way to the car-as-a-platform: “The car is becoming a new platform. We need developers to work on apps.” Not to be left behind, Ford has introduced the OpenXC platform, which it sees as a channel for collaboration between Ford and 3rd party application developers. What role will security play in shaping this newly emerging technology, when your car can tweet that it needs an oil change? Cars rely heavily on small embedded microprocessors running on a network that was never designed to be secure. This talk will look at the current technologies used (CAN bus, OBDII, and tire pressure monitoring systems) and demonstrate their inherent weaknesses. What should be considered in the future when most cars will be connected to the Internet?
Top Ten Web Application Defenses
Speaker: Jim Manico
Track: Deep Dive
Abstract: We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
Using SaaS and the Cloud to Secure the SDLC
Speaker: Andrew Earle
Track: Management
Abstract: This session will cover SaaS offerings and how they can be effectively utilized in web security development efforts. Over the last few years, cloud services (i.e. SaaS) have been increasingly used as both a starting point for application security efforts and as a full outsourcing of the appsec program. However, by the very nature of cloud outsourcing and delivery, it is difficult to evolve this approach into a mature secure development lifecycle. Developer involvement is a necessity, and the solution has been to bring vulnerability assessment technologies in house. But recently, organizations have started to deploy a mixture of on-premise and cloud appsec solutions as an alternative to the all or nothing paradigm of on-premise or SaaS.
Topics covered include:
- Overview of vulnerability assessment using SaaS
- Overview of on-premise vulnerability scanning in the SDLC
- Challenges of on-premise and SaaS implementations
- Private cloud variations of on-premise and SaaS offerings
- Hybrid on-premise/cloud implementations in the SDLC
- Use of automation and integration with development infrastructure to ease developer adoption of on-premise/cloud appsec implementations
- How organizations can use SaaS to get started with application security and mature into a robust software security assurance program featuring on-premise and cloud deployments.
Digital Bounty Hunters - Decoding Bug Bounty Programs
Speaker: Jon Rose
Track: Executive/Legal
Abstract: Let’s deconstruct the world of digital bounty hunters.
Amid the growing trend to “crowd source” services, a few progressive enterprises are taking a new approach to information security. A potential game-changer, these companies are shifting the traditional model of IT risk assessment by opening their doors -- and their wallets -- to freelance hackers who break in without fear of legal repercussions. Bug Bounty Programs pay cash money to hackers for responsibly disclosing security vulnerabilities on production applications and networks.
From the vantage point of the bounty hunter, this presentation will examine who these freelance hackers are, their motivations, and their perspective on the value of bug bounty programs. It is equally as important to understand the perspective of the individuals that run these programs, how the programs fit into a comprehensive, information security framework, as well as key successes and failures to date of this new crowd-sourced model. As part of this, the discussion will review metrics from an existing program and highlight some of the more interesting bugs discovered.
Ultimately, what is the future for these bug bounty programs? Will they disrupt the existing marketplace for professional security consultant services by offering a cheaper, more effective crowd-sourced approach? Or are these programs simply a tool for the most advanced, most daring companies to take their security programs to the next level?
Session 4: 13:35-14:20
Real World Cloud Application Security
Speaker: Jason Chan
Track: Technical
Abstract: This presentation will provide the audience with a case study of how real world organizations using the public cloud are approaching application security. Netflix, one of the largest AWS and public cloud users in the world, will serve as the subject of the case study.
I will cover a variety of topics of interest to application security personnel, including:
- Automating and integrating security into CI/CD environments
- Large scale vulnerability management
- Continuous security testing and monitoring, including Netflix's Security Monkey and Exploit Monkey frameworks
- Cultural integration of security in DevOps/agile organizations
A Demo of and Preventing XSS in .NET Applications
Speaker: Larry Conklin
Track: Deep Dive
Abstract: My presentation is titled “A Demo of and Preventing XSS in .Net applications” Presentation will include using Microsoft’s Web Protection Library/AntiXSS and OWASP’s AntiSamy.NET project and using CAT.Net to find XSS vulnerabilities in .NET applications.
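As an added illustration of the encoding step the talk demonstrates (example written for this page, not the speaker's demo and not sample code from the AntiXSS, AntiSamy.NET or CAT.NET projects), the following C# console program renders the same attacker-supplied string once without encoding and once with contextual output encoding. It assumes only the base class library's System.Net.WebUtility in place of the AntiXSS Encoder class; the payload string is constructed for the demonstration.

```csharp
// Added example (not from the talk): reflected XSS from unencoded output
// versus output encoding in .NET. Uses only System.Net.WebUtility from the
// base class library; the talk's AntiXSS / AntiSamy.NET are not required.
using System;
using System.Net;

static class XssDemo
{
    // Vulnerable: untrusted input concatenated straight into HTML element content.
    public static string RenderUnsafe(string name) =>
        "<p>Hello, " + name + "</p>";

    // Hardened: HTML-entity encode before inserting into element content,
    // so '<' becomes "&lt;" and the browser renders the payload as text.
    public static string RenderSafe(string name) =>
        "<p>Hello, " + WebUtility.HtmlEncode(name) + "</p>";

    // Attribute context: the attribute must be quoted AND the value encoded;
    // HtmlEncode turns the attacker's '"' into "&quot;" so it cannot close the attribute.
    public static string RenderAttrSafe(string value) =>
        "<input type=\"text\" value=\"" + WebUtility.HtmlEncode(value) + "\">";

    static void Main()
    {
        // Constructed attacker inputs, as used in a reflected-XSS test.
        string scriptPayload = "<script>alert(document.cookie)</script>";
        string attrPayload = "\" onfocus=\"alert(1)";

        Console.WriteLine(RenderUnsafe(scriptPayload));   // script element reaches the browser
        Console.WriteLine(RenderSafe(scriptPayload));     // &lt;script&gt;... shown as text
        Console.WriteLine(RenderAttrSafe(attrPayload));   // &quot; keeps the value inside the attribute
    }
}
```

Encoding must match the output context: HtmlEncode is correct for element content and quoted attributes, but a value placed inside a script block or a URL needs JavaScript or URL encoding instead, which is the distinction the AntiXSS Encoder class exposes through its separate methods.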
Defending Desktop (.NET/C#) Applications: Mitigating in the Dark (A Case Study Remix)
Speaker: Jon McCoy
Track: Management
Abstract: This presentation is on the case study(s) of desktop applications undergoing a cracking/hacking/attacking life cycle. This is the summation of multiple software projects undergoing attacks from a detected and focused attacker. This presentation follows a Product Owner(s) and Coder(s) going from a self-directed response. Your software project has been going for years, your client base is growing, you're making deadlines, then one day some e-mail shows up and your world starts to crumble. Crack after crack keeps coming out every version; your new upgrades/code keep showing up in a competing product; malware keeps hitting your clients. See the steps taken by day-to-day Product Owner(s) and Coder(s) as they respond to security events that never crossed their minds as potential threats.
Crafting a Plan for When Security Fails
Speaker: Robert Lelewski
Track: Executive/Legal
Abstract: A computer security incident, whether an exposed system with protected data or a hacked application, requires a planned response to quickly address and contain the threat. We exist in a world where having a plan is a necessity. Companies in various industries possess vast amounts of regulated and confidential data; this arrangement places a great amount of responsibility on the custodian. Unfortunately, in today's world, it is almost inevitable that you will be the target of an attack or mishandle data that may cause a potential exposure. Do you have a codified plan that helps guide your response?
CSIRPs are robust documents that are difficult to create. Developing a CSIRP that takes into account organizational culture and existing structure, creates buy-in from various departments, and is applicable in a wide array of emerging and existing threats while balancing substance and brevity may be a herculean task.
This presentation will provide the basis for the need for a CSIRP, discuss pitfalls and strategies when crafting CSIRPs, explore common ways they fail, and offer tips to create a healthy, viable, and useful process to use when confronting a computer security incident.
Crafting an Incident Response Plan is a presentation geared towards those wishing to learn more about creating a viable computer security incident response plan (CSIRP).
Session 5: 14:30-15:15
DevOps and Security: It's Happening. Right Now.
Speaker: Helen Bravo
Track: Technical
Abstract: How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include:
•Re-evaluate existing security tools and consider their integration within a CD environment
•Deliver a secured development framework and enforce its usage
•Pinpoint precise security code flaws and provide optimal fix recommendations
Data Mining a Mountain of Zero Day Vulnerabilities
Speaker: Joe Brady
Track: Deep Dive
Abstract: Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? How secure are third party software components? We will address these questions and many others, giving you a deep dive into metrics at a scale that can't be found anywhere else.
Linking Security to Business Value in the Customer Service Industry
Speaker: Dan Rojas
Track: Management
Abstract: The value of trust cannot be understated when discussing Superior Customer Service. “The main benefit of trust is customer loyalty, which in turn leads to a longer term relationship, greater share of wallet, and higher advocacy or word of mouth. Results from our consumer survey show that emotional and rational trust drive between 22% and 44% of customer loyalty.” - Study by ESCP Europe Business School
Privacy protection is a pillar of trust. Studies show PRIVACY is of paramount importance to consumers and is growing in importance. A 2012 Ponemon Institute study on the “Most trusted companies on privacy” found that while the importance of privacy has grown over the last seven years, the loss of control over privacy has also grown as well.
The Call Center industry is at the confluence of these competing social and business priorities. On the one hand, the customer service representative (CSR) must engender competence and trustworthiness, and on the other hand the CSR must ask the caller for a credit card number or social security number, the most private, personal and valuable pieces of information a consumer possesses.
Where there is a gap in expectations between consumers and businesses, there is an opportunity for business to differentiate themselves and fill the gap and win market share. This opportunity is being realized by emerging technology designed to satisfy Compliance standards as well as real consumer demand for privacy protections.
Call Centers, as well as other types of businesses, that can address consumers' demand for privacy protections can improve their long term bottom line through TRUST and customer loyalty.
Information Control: The Critical Need for a Defensible Position - Securing the Information Ecosystem
Speaker: Tom Glanville
Track: Executive/Legal
Abstract: Given an overview of Identity Theft, fraud and information exposure, participants will discover that the liability of these issues is much broader than they are prepared to manage.
Given case studies and stories from field experience, participants will identify gaps in information compliance policies and practices that place every organization at risk beyond areas of commerce, compliance, and technology.
Upon completion of the session participants will recognize critical gaps in their information ecosystem that need to be addressed in order to create a defensible position in the case of a breach.